Page 92 - Cyber Defense eMagazine for July 2020
iPhone Extraction Without A Jailbreak
Imaging the file system and decrypting the keychain from iOS devices without jailbreaking
By Oleg Afonin, Security Researcher, ElcomSoft Co. Ltd.
Traditionally, forensic experts without access to proprietary technologies have relied upon jailbreaks to
perform the lowest-level extraction of Apple iOS devices. Using jailbreaks, even advanced ones exploiting
hardware vulnerabilities, presents a number of challenges. In this article, we offer an alternative
method for accessing the content of iOS devices that does not require jailbreaking.
Jailbreak-based acquisition
Before covering jailbreak-free extraction, let’s talk about jailbreaks.
Why is a jailbreak needed for file system extraction? Jailbreaking the device allows
experts to raise privileges to the level required to access the protected file system on the device, which
is simply not possible on Apple devices without superuser access. In addition, a jailbreak was the only
way to extract and decrypt the complete content of the keychain, which contains all of the user’s saved
passwords as well as items such as certificates, identities and encryption keys (e.g. keys to encrypted
databases of third-party password managers). In other words, a jailbreak was (and still is) used to obtain
the level of privileges required to access application sandboxes, stored passwords
and encryption keys.
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.